Friday, March 11, 2011

A rare “encrypted laptop.” Just thought I'd let you know that it does happen on occasion!

Stolen laptop creates concern for OrthoMontana patients

By Dissent, March 11, 2011

Rob Rogers reports:

OrthoMontana is scrambling to warn current and past patients that their personal information may be on a laptop computer that was recently stolen from the company.

The Billings orthopedic and sports medicine practice has sent letters across the city to those who may have been impacted.
The laptop was heavily encrypted — two sets of user names and passwords plus a “biometric finger scan” was required to access its files, he said.

Read more in the Billings Gazette.

It’s nice to see a stolen laptop that actually had more than just a user/pass to access, and this may give the practice safe harbor in terms of reporting the incident to HHS. We’ll have to wait to see if it is reported to them. There is no statement on the OrthoMontana site at this time.

The old, “It could be worse” argument? Perhaps this is just an honest look at the future.

DHS: We Have the Authority to Routinely Strip-Search Air Travelers

March 11, 2011 by Dissent

From EPIC:

The Department of Homeland Security told a federal court that the agency believes it has the legal authority to strip search every air traveler. The agency made the claim at oral argument in EPIC’s lawsuit to suspend the airport body scanner program. The agency also stated that it believed a mandatory strip search rule could be instituted without any public comment or rulemaking. EPIC President Marc Rotenberg urged the Washington, DC appeals court to suspend the body scanner program, noting that the devices are “uniquely intrusive” and ineffective. EPIC’s opening brief in the case states that the Department of Homeland Security “has initiated the most sweeping, the most invasive, and the most unaccountable suspicionless search of American travelers in history,” and that such a change in policy demands that the TSA conduct a notice-and-comment rule making process. The case is EPIC v. DHS, No. 10-1157. For more information, see EPIC: EPIC v. DHS and EPIC: Whole Body Imaging Technology.

Another escalation of power by 'grand frère' (Interesting that translates “Big Brother” as “Big Brother”)

France re-writes the rules of data retention

March 11, 2011 by Dissent

Peter Fleischer writes:

When Europe introduced a Data Retention Directive in 2006, it struck a very very careful political and legal balance between the interests of privacy and the interests of Law Enforcement/ Government access to data. The core distinction of the laws was to impose an obligation on service providers to retain and produce traffic data relating to communications, but to exclude contents of communications.
Surprisingly, very few people have noticed what just happened in France. The law (decree, technically) adopted a few days ago in France up-ended the careful political/legal balance of the Directive by inserting one little word: “passwords”.

Read more on Peter Fleischer: Privacy…?

A Cloud Computing assessment?

Data Protection and Privacy: Hitting a Real World Wall

March 11, 2011 by Dissent

Laurence Eastham writes:

With doubts about implementation of the EU’s ‘cookie consent’ requirements and the suggestion that cloud cuckoo land has at last been found (apparently it is in Denmark), it is time to ask if there is a disconnect between commercial reality and privacy requirements. And whose fault is it? You may have missed the story about the Danish data protection regulator and the application from a local education authority to use cloud computing for certain purposes. Summarising wildly, Datatilsynet told Odense Municipality that it could not use Google Apps online office suite with calendar and document processing features because Google Ireland was not to be trusted. Among other objections, the Datatilsynet view was that the local authority had done insufficient risk assessment. There is a short account here and the full rejection is here.

Read more from the Editor’s Blog on SCL.

[From the article:

The reaction has included the suggestion that Denmark is not part of the real world.

… Getting in the way of the cloud is seen as standing in the way of progress and practically Luddite.

[From the brief account:

The Data Protection Agency gives five reasons for its rejection.

1. The municipality has not documented that the data to be processed with Google Apps will not be transferred to data centres outside of the EU covered by the EU Commission’s safe harbour regime. [Location, location, location Bob]

2. The risk assessment done by the municipality with respect to the security of the data is not deemed satisfactory, e g with respect to encryption of data. [Security Bob]

3. The data processing agreement between the municipality and Google does not comply with the requirements under the Danish Act that the terms of the agreement can only be altered on the instruction by the municipality. [Google can change the rules at whim... Bob]

4. The Data Protection Agency considers that the municipality is not able to comply with the rule under the Danish Act that requires the municipality to be in efficient control with respect to whether the security measures to be observed by Google as data processor are in fact complied with. [Google is not under control Bob]

5. The Data Protection Agency considers that the municipality has not shown that the requirements under the Danish Act will be complied with, among other things with respect to that data after use shall be deleted and no recreation possible. [Does Google own the data? Will they permanently archive it? Bob]

More Cloudiness revealed?

March 10, 2011

Wikileaks and Freedom, Autonomy and Sovereignty in the Cloud

You Have No Sovereignty Where We Gather – Wikileaks and Freedom, Autonomy and Sovereignty in the Cloud, Balázs Bodó - Budapest University of Technology and Economics; Stanford Law School Center for Internet and Society, March 7, 2011

  • "Wikileaks represents a new type of (h)activism, which shifts the source of potential threat from a few, dangerous hackers and a larger group of mostly harmless activists – both outsiders to an organization – to those who are on the inside. For insiders trying to smuggle information out, anonymity is a necessary condition for participation. Wikileaks has demonstrated that the access to anonymity can be democratized, made simple and user friendly. Being Anonymous in the context of Wikileaks has a double promise: it promises to liberate the subject from the existing power structures, and in the same time it allows the exposure of these structures by opening up a space to confront them. The Wikileaks coerced transparency, however, is nothing more than the extension of the Foucauldian disciplinary power to the very body of state and government. While anonymity removes the individual from existing power relations, the act of surveillance puts her right back to the middle. The ability to place the state under surveillance limits and ultimately renders present day sovereignty obsolete. It can also be argued that it fosters the emergence of a new sovereign in itself. I believe that Wikileaks (or rather, the logic of it) is a new sovereign in the global political/economic sphere. But as it stands now, Wikileakistan [I like it! Bob] shares too much with the powers it wishes to counter. The hidden power structures and the inner workings of these states within the state are exposed by another imperium in imperio, a secretive organization, whose agenda is far from transparent, whose members, resources are unknown, holding back an indefinite amount of information both on itself and on its opponents. I argue that it is not more secretive, one sided transparency which will subvert and negate the control and discipline of secretive, one sided transparency, it is anonymity."

A minor ethical breach? Will “I didn't mean to...” be an adequate defense?

OH: Trouble not over for official fired over e-mail snooping

March 11, 2011 by Dissent

Randy Ludlow reports:

The former top lawyer at the Ohio Department of Public Safety faces professional misconduct charges because he intercepted confidential e-mails involving the state inspector general and others.

Joshua Engel has been charged by the state’s legal-ethics watchdog with misconduct that interfered with the administration of justice and that calls into question his fitness to practice law.

Engel was fired last year after officials discovered that he had ordered the installation of a computer “filter” that automatically copied him on e-mails between Public Safety employees, the inspector general’s office and Dispatch reporters.

Read more in the Columbus Dispatch.

Previous coverage can be found here.

[From the Columbus Dispatch article:

Columbus lawyer Larry James, who represents Engel, said he hopes to reach an agreement specifying Engel's punishment and that a public reprimand or stayed six-month suspension of his law license appears to be appropriate.

"We think the lack of intent (to obtain confidential information) carries the day," James said. "No one has an expectation of privacy when an employer has the right to monitor the e-mails of any employee."

If the search comes to you, is it a search?

Law Enforcement Use of Global Positioning (GPS) Devices to Monitor Motor Vehicles: Fourth Amendment Considerations

March 11, 2011 by Dissent

From the Congressional Research Service:

Alison M. Smith, Legislative Attorney, February 28, 2011

This report discusses the basics of GPS technology, society’s reliance on it, and some of the related legal and privacy implications. In addition, the report examines legislative and judicial responses on both federal and state levels.

Read the report on CRS. h/t

For my Data Analysis students

How Big Data Justifies Mining Your Social Data

"Paul Krill reports that one of the big uses of the new "Big Data" analytics technology is to mine the information people post through social networking. Which led him to ask 'What gives Twitter, Facebook, et al. the right to mine that data?' It turns out, users do when they sign up for social networking services, even if they don't realize that — but less clear is the ownership of other information on the Web that these tools also mine."

It couldn't happen to a nicer bunch of guys... I think they should pay. Otherwise companies like this could use frivolous lawsuits to chip away at competitors or anyone else they don't like.

Copyright Troll Complains of Defendant's Legal Fees

"Copyright enforcement company Righthaven, accused of coercing defendants into settling with threats of damages of $150,000 and forfeiture of the defendants' website domain names, is complaining that one of its litigation foes is needlessly running up legal costs that Righthaven may end up having to pay. In one of its more extensively-litigated cases, Righthaven sued the Democratic Underground last year after a message-board poster re-posted the first four paragraphs of a 34-paragraph Review-Journal story. After suffering a fair-use setback in another case involving a partial story post, Righthaven tried to drop its suit against the Democratic Underground, which would have resulted in a finding of 'no infringement.' But the Democratic Underground is pressing for Righthaven to pay its attorney's fees and says new evidence had surfaced that would bolster their case. 'Defendants agree that this case should be over — indeed, it should never have started. But it should not end until Righthaven is called to account for the cost of the defense it provoked,' say attorneys for the EFF. 'To allow Righthaven to avoid compensating those who have no choice but to defend would be unjust and unsupportable.' In related news, Righthaven has filed five more lawsuits, bringing their total since March 2010 to 246 lawsuits."

(Related) Another “We have no sense of humor (or any other sense)” lawsuit

US Lawyers Target Swedish Pirate, and His Unicorn

"When a Swedish citizen identified as Ryan heard about US movie studio Liberty Media's plan to get copyright infringers to confess and voluntarily pay up, he couldn't stop himself from sending them a satirical email promising that he will pay 'from the pot of gold I got at the leprechaun at the end of the rainbow', regardless of scathing criticism of the studio from his unicorn. However, despite his location, the jesting nature of the email, and his insistence that he has never downloaded anything for which the studio is suing, Liberty Media's lawyers have taken the 'confession' seriously, and have issued a subpoena to Google for personal information related to Ryan's Gmail account. In a phone call, the legal team affirmed their determination to 'hunt him down, all the way to Sweden if need be.'"

Unless most of the big players follow suit, this will result in increased tax revenue and therefore be adopted by other states.

Amazon ends affiliate program in Illinois

Amazon is ending another affiliate program over states' efforts to collect sales tax.

The Internet retailer notified its affiliates in Illinois yesterday that it would sever their business relationships after Illinois Gov. Pat Quinn signed into law a bill that would require in-state affiliates to collect state sales tax on purchases made by Illinois residents. Affiliates place ads for retailers on their Web sites and get paid when customers make purchases via the ads.

For my Computer Security students. Perhaps I could integrate this into my “no cellphones in the classroom” policy.

New Attack Can Disable Phones Via SMS

"A pair of security researchers from Germany demonstrated several techniques at the CanSecWest conference here Wednesday that enable them to remotely reboot, shut down or even completely disable many popular mobile phones with SMS messages. The technique that Nico Golde and Collin Mulliner discussed relies on setting up a GSM network and sending specially crafted SMS messages to handsets. The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent."
